Slashdot Mirror


Conficker Downloads Payload

nk497 writes "Conficker seems to finally be doing something, a week after hype around the worm peaked on April Fool's Day. It has now downloaded components from the Waledac botnet, which could contain rootkit capabilities. Trend Micro security expert Rik Ferguson said: 'These components have so far been missing, but could this finally be the "other boot dropping" that we have all been waiting for?' Ferguson also suggested that people behind Conficker could be the very same who are running Waledac and created the Storm botnet. 'It tallies with some of the assumptions people have made about Conficker — that the first variant was actively trying to avoid the Ukraine because Waledac was Eastern European,' Ferguson added."

5 of 273 comments

  1. Re:I gotta ask by Anonymous Coward · Score: 5, Informative

    Conficker gets its time from a lot of different time servers, not the local machine. I think the author might have thought about that when designing the worm...

  2. Re:I gotta ask by Z34107 · Score: 5, Informative

    Conficker doesn't use the internal system clock; it polls various websites to find out the real date.

    If it can't connect to those websites, or gets an unexpected response, it assumes it's in a closed network and holes up.

    --
    DATABASE WOW WOW
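
    The two comments above describe the same defensive lesson from the analyst's side: a sample that takes its date from several remote web servers rather than the local clock will not be fooled by winding the clock forward, and it treats connection failures or malformed answers as a sign of a closed network. The following Python is an added illustration, not code from the thread or from any Conficker sample. It derives a consensus date from a handful of constructed HTTP Date headers (the server names and header values are made up), reports when the local clock disagrees with that consensus, and shows how an analysis sandbox would have to answer to present one consistent, chosen date to a sample under observation.

```python
"""Added example: reasoning about a network-derived date the way an analysis
sandbox must. Nothing here is taken from the thread or from malware code."""
from collections import Counter
from datetime import date, datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample responses: what a handful of public web servers might
# return in their HTTP Date header, including one garbage reply and one
# connection failure (None). The hostnames are hypothetical.
SAMPLE_HEADERS = {
    "example-site-a": "Thu, 09 Apr 2009 14:02:11 GMT",
    "example-site-b": "Thu, 09 Apr 2009 14:02:13 GMT",
    "example-site-c": "not a date",   # unexpected response
    "example-site-d": None,           # could not connect
}


def parse_http_date(value):
    """Return the calendar date (ISO string) from an RFC 7231 Date header,
    or None if the header is missing or unparsable."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        # Older Pythons raise TypeError on garbage, newer ones ValueError.
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).date().isoformat()


def consensus_date(headers, min_sources=2):
    """Majority calendar date across sources, or None when fewer than
    min_sources agree. Failures and garbage are ignored, so the result
    depends only on the remote servers, never on the local clock."""
    days = [d for d in (parse_http_date(v) for v in headers.values()) if d]
    if len(days) < min_sources:
        return None
    day, count = Counter(days).most_common(1)[0]
    return day if count >= min_sources else None


def local_clock_disagrees(local_iso, network_iso, tolerance_days=1):
    """True when the local clock is more than tolerance_days away from the
    network consensus. This is what makes 'just set the clock ahead'
    ineffective as an experiment: the local value is never the trigger."""
    local_day = date.fromisoformat(local_iso)
    network_day = date.fromisoformat(network_iso)
    return abs((local_day - network_day).days) > tolerance_days


def format_http_date(day_iso):
    """HTTP Date header a sandbox's fake web servers would serve so that
    every source agrees on the analyst's chosen day."""
    dt = datetime.combine(date.fromisoformat(day_iso), datetime.min.time(),
                          tzinfo=timezone.utc)
    return format_datetime(dt, usegmt=True)


if __name__ == "__main__":
    agreed = consensus_date(SAMPLE_HEADERS)
    print("network consensus date:", agreed)
    for local in ("2009-04-09", "2009-05-01"):
        print(local, "disagrees" if local_clock_disagrees(local, agreed)
              else "agrees")
    print("sandbox Date header for that day:", format_http_date(agreed))
```

    The point of the harness is the last function: an analyst who wants to observe date-gated behaviour has to control every remote source the sample consults, and answer all of them consistently, because the sample discards failures and disagreement rather than trusting the machine it runs on.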
  3. Re:I gotta ask by MyDixieWrecked · Score: 5, Informative

    Why didn't someone infected with this, say last month, change their pc clock ahead...

    First of all, I'm sure that the payload itself wasn't made available until the last minute.

    Second, if it were me who wrote the virus, I would have written it to *start* looking for a payload, start looking in no particular place, and continue looking until it's been found. Considering that it's getting its payload from an established botnet, it could just be poking around looking for machines that can give it its payload and the payload wasn't made available until today.

    When you have control of as many machines as the Storm or Waledac botnets, the world really is your oyster. You're not restricted by IPs, and if your botnet is large enough, you can just iterate through addresses looking for a system that has your payload for you. Without access to the botnet or the payload, it doesn't matter how much you reverse engineer or adjust your clock, you just can't predict what will happen in the future.

    --
    ...spike
    Ewwwwww, coconut...
  4. Ever have one of those moments... by gillbates · Score: 5, Informative

    When you realize you are uncontrollably in love with someone? That you and this person sitting beside you are soul mates? That you were meant for each other?

    That moment for me came a few weeks ago. Yes, my wife and I have been married several years, but she was a Windows user when we met. Sure, she'd grown up in a diverse family - both Macs and PCs, but most of her experience was on Windows.

    About a year ago I replaced Windows with Ubuntu on the family laptop. She kind of grudgingly went along with it.

    Then, last week we were watching the news when the anchor broke the story of conficker. Without missing a beat, she turned to me and in roll-your-eyes-I-can't-believe-they're-so-stupid kind of voice said:

    "That's a Windows thing, isn't it?"

    "Yep," I replied.

    "Hmmm. Sucks to be them, I guess..."

    Linux evangelists take note: sometimes it takes people *years* to come around. But when they do, when they realize they no longer have to WORRY about viruses and other Windows-specific crap, it's priceless.

    --
    The society for a thought-free internet welcomes you.